Why you should turn off your iPhone if the police stop you.
CAN THE POLICE COMPEL YOU TO UNLOCK YOUR PHONE? Why you should turn off your iPhone if the police stop you.
Recent advances in cryptographic technology and the widespread use of free, open-source cryptography have made encrypted information pervasive in our everyday lives. Apple and Google have both announced that their latest mobile operating systems will be encrypted and the manufacturers will be unable to decrypt the phones even if ordered to do so. Additionally, all Apple iPhones since the iPhone 3GS have used built-in encryption. This article provides a primer to encryption, and whether police officers can compel you to provide your password.
Officers can compel individuals to provide their fingerprint to unlock a phone. The iPhone 5S, 6, 6 Plus, iPad Air 2, and iPad mini 3 are all equipped with “TouchID.” Users of these devices are allowed to unlock their devices using only their fingerprints. The easiest way for users of these devices to avoid being compelled to provide their fingerprint to unlock their device is to restart the phone. Once the device is turned off, it will require a passcode on restart before TouchID will be active again.
I. A Primer to Encryption
Encryption is the process by which information is converted from a form that can be understood by anyone (“plain text”) into a form (“ciphertext”) that only be read by someone who has the “encryption key.” In modern times, where information is commonly stored electronically, the key takes the form of a complex algorithm that converts plaintext into ciphertext. The term cryptography, which is the science of encryption and decryption, comes from the Greek words “kryptos” and “graphos,” which together mean “hidden writing.”
Encryption, in its many forms, has played an important role in keeping communications secret since humans first started sending messages to each other. Encrypted messages have been sent by means of hieroglyphics and smoke signals. Early Americans relied on encryption to keep their communications secret during the time of the American Revolution. After the Revolution, prominent figures like Benjamin Franklin and the first Chief Justice of the United States Supreme Court continued to be known for their use of encrypted documents. Benjamin Franklin invented ciphers that were used by the Continental Congress. He even went as far as printing a book on the use of ciphers. John Jay, the first Chief Justice of the Supreme Court used ciphers for all diplomatic correspondence made while he was outside of the country.
In recent years, the level of encryption available to the general public has far outpaced the government’s technological capabilities to decrypt the information. A brute force attack is an attempt to decrypt information by trying every possible key combination until the right key is found. The number of possible keys depends on the level of encryption, which is commonly measured in terms of bits. The most common level of encryption used today is 128-bit encryption. After years of studying encryption and the rate at which computers have improved, the European Network of Excellence in Technology reported last year that it would take at least thirty years before 128-bit encryption could be defeated in a timely manner. The report was the culmination of over four years of research into encryption, brute force attacks, and increases in computational power over time. Even taking into consideration significant future projected increases in computational power, such as the advent of quantum computing, the organization expects 256-bit encryption will remain a highly recommended level of encryption for the foreseeable future.
Despite the difficulty in decrypting even 128-bit encryption, commonly available software now allows users to encrypt their data using much stronger levels of encryption. As a result of the advances in encryption technology, law enforcement agents and the intelligence community looked to the courts to compel encryption keys through court orders and grand jury subpoenas.
II. The Fifth Amendment Implications of Compelling Password Production
The Fifth Amendment protects individuals from being compelled to be witnesses against themselves. For the Fifth Amendment protection to apply, a statement must be (i) compelled, (ii) testimonial, and (iii) incriminating.
In re Boucher, the first case in federal court to deal with the compulsion of cryptographic keys, was decided in 2007. Sebastian Boucher was crossing the Canadian border into the United States when his vehicle was stopped for a routine border inspection. Officers found a laptop on the backseat of the vehicle and proceeded to access the files on the computer. The investigating officer was able to inspect the contents of the laptop without being prompted to enter a password. The officer noticed a number of files with names suggesting the files might be child pornography. He then asked a special agent trained in recognizing child pornography to assist with the investigation. The special agent viewed the files and determined they were images and videos of child pornography.After placing Boucher under arrest, they seized his laptop computer and powered it down.
When law enforcement agents later tried to access the files on the laptop, they discovered the hard drive was encrypted and a password was required to access the hard drive when the computer was powered on. A special agent trained in computer forensics testified before a grand jury that there were no known backdoors to the encryption software Boucher had used by which law enforcement might defeat the encryption. The special agent also testified it would be virtually impossible to guess the password in any reasonable amount of time because it could take years for an automated program to try every possible encryption key combination. Based on the special agent’s testimony, the grand jury subpoenaed Boucher to divulge the encryption key. Boucher refused and moved to quash the subpoena. At trial, United State Magistrate Jerome Neidermeier held that compelling Boucher to reveal his key would violate the Fifth Amendment.
On appeal, the state changed its strategy and instead of requesting production of the cryptographic key itself, the state requested that Boucher enter his cryptographic key to unlock the hard drive, thereby granting investigators access to the drive without forcing Boucher to divulge the key. The United States District Court ordered Boucher to enter his cryptographic key as requested. The court held that the Boucher had no act-of-production privilege that would protect him from providing the grand jury with an unencrypted version of the disk. The court, relying on Second Circuit precedent, ruled that although the entire contents of the hard drive was not known, it was a foregone conclusion that the disk contained evidence of child pornography since the government could show “with reasonable particularity that it kn[ew] of the existence and location of the subpoenaed documents.”
While Boucher was required to turn over his password, the court reached its decision because the state already knew what was on the hard drive. Essentially there is a “foregone conclusion” to the Fifth Amendment privilege against self-incrimination
In 2012, the Eleventh Circuit determined that individuals cannot be compelled to decrypy hard drive contents when the defendant had not provided law enforcement information as to what is contained on the encrypted drive. United States v. Doe (In re Grand Jury Subpoena Duces Tecum Dated March 25, 2011), 670 F.3d 1335 (11th Cir. 2012). The case arose after police seized computers and external hard drives they tracked using internet protocol addresses they had reason to believe contained child pornography. The defendant was held in contempt after refusing to decrypt the laptops and hard drives for law enforcement. On appeal, the Eleventh Circuit held that decryption and production of the contents of the hard drive would be testimonial and did trigger Fifth Amendment protections.
III. BIOMETRIC SECURITY: Why You Should Turn Off Your iPad/iPhone if You are Stopped
Today, phones and tablets are commonly secured using fingerprints. Computers are regularly secured with fingerprints and are sometimes encrypted with iris scans. While biometric scans offer better security to the average user, there is a distinct downside for everyday users. Unlike a password, which requires something you know to access your data, a biometric scan only requires something you have. In other words, the Fifth Amendment is not implicated in providing a fingerprint or iris scan, where being required to provide a password would give rise to Fifth Amendment protections.
Last week in a Virginia Circuit Court judge ruled that officers can compel individuals to provide their fingerprint to unlock a phone. The defendant in that case, David Baust, was charged with an assault-strangulation case. The police had reason to believe the fight may have been recorded on Baust’s phone and sought to compel him to unlock his cell phone. Judge Steven Frucci ruled that providing a fingerprint does not implicate the Fifth Amendment because fingerpritns are nontestimonial in nature. It is no different than being compelled to provide a DNA sample or a physical key: it is something you have, not something you know.
The iPhone 5S, 6, 6 Plus, iPad Air 2, and iPad mini 3 are all equipped with “TouchID.” Users of these devices are allowed to unlock their devices using only their fingerprints. The easiest way for users of these devices to avoid being compelled to provide their fingerprint to unlock their device is to restart the phone. Once the device is turned off, it will require a passcode on restart before TouchID will be active again.
Comments or questions are welcome.